If you are a small company, you may not be aware of the importance of patching to minimize vulnerabilities. If you are from a large company, you probably understand the importance but don’t have the resource, time, or diligence to implement a robust patching program. Patching is the most important part of any vulnerability management program, but most companies get a failing grade and leave themselves open to preventable cyberattacks.
We all make mistakes in life, right? It’s no different in the programming world. Software applications can contain millions of lines of code, and it is impossible to get it perfect and secure, especially on the first release. Application developers know this and have weighed the risks versus benefits with each release. Developers would go out of business if they waited until the software application was perfect. The quicker it is released, the sooner everyone can capture the gains, most of the time that is revenue and profit.
Applications are released knowing there will have to be updates to “fix” discovered issues. As part of the release plan, development teams are assigned to work on known and discovered issues. Have you ever wondered way the software versions have multiple numbers assigned?
Patching is basically keeping your software version up to date. The software needs to be consistently updated to stay current and fix any known issues. Remember, the bad guys are out there waiting to take advantage of any reported weaknesses – they can use those to gain access to your system, to steal, manipulate, spy, or corrupt your information. Patching is always a race. You need to get the patches applied before the bad guys get a foot in your door.
You should be concerned with three types of patching in your business. Each is important and all of them are essential for good vulnerability management.
Operating Systems (OS) and Networking Operating Systems (NOS) are the most common and arguably the most important. These operating systems are primarily from Microsoft, like Windows 10 for your computer and Windows Server 2019 (NOS) for your server. Microsoft literally has something called Patch Tuesday. Security updates are released the second Tuesday of every month. Other, non-security patches are released on the fourth Tuesday of every month. You can see this is not a one-and-done type of event. This a continued series of updates that will never stop.
Fortunately, Microsoft has automated the patching with Windows 10 computers. Thank goodness! Patches will automatically be deployed to computers via your Internet connection. You can defer them for up to 30 days. You must restart your computer for the patches to be applied. That takes of that issue, right? Well, not really…
Unfortunately, Microsoft does not automate feature releases. You are not forced to upgrade to the latest feature release. Microsoft uses build numbers to identify their OS versions. You might have one computer running Windows 10 version 1909 and another computer running Windows 10 version 1607. These will require different patches to stay current. Generally, Microsoft will support a feature release for two years. After that, they will stop providing patches for that version. What frequently happens is users think they are up to date with Windows 10, but they really have an out of date, unsupported OS. The users will then experience slow performance or certain features will stop working. This also increases vulnerabilities and the risk for cybersecurity attacks.
Here is how to check your Windows version: Start > Settings > System > About
Open your Start menu and click on the gear icon for Settings
Find the System icon and Settings
Select About in the menu. Scroll down the Windows specification to see the Version.
So, are you current?
For servers (NOS) it’s a little trickier to manage. The real trick for servers is having a maintenance window for rebooting. That proves to be difficult since you might have users accessing the server 24/7. Often this is done at night or when the server has low or no usage. You can automate the rebooting process, but sometimes servers fail to restart correctly, and users will experience downtime. Most of the time it is safer to have someone managing the process.
Applications also need to be patched. Basically, anything that is not an operating system is called third-party patching. Third-party patching covers hundreds of different applications. Think of applications like Adobe, Flash, Citrix, Google Drive, and Zoom just to name a few. The same theory applies to third-party patching. You need to fix the known issues by loading the latest patch. Some applications will auto update, but most will not. Multiply the number of applications by the number of users, and it is an impossible task to manually keep everyone on the updated version.
Of course, trusting end users or admins to get all the updates loaded correctly is a huge risk as well. In December 2020, 18,000 SolarWinds customers installed a hacked update containing malware and malicious code. Once this was installed, hackers gained access to countless systems.
It is a good idea to control the number applications allowed on the corporate environment. Users may gain productivity from specific application, but often the risk and support complexity are not worth it. A whitelist and blacklist should be deployed to monitor the list of applications for all users.
Firmware is sometimes forgotten in the vulnerability management plan. Think of infrastructure devices like firewalls, switches, IoT cameras, wireless access points and routers. Yes, that is hardware, but they all run internal application software inside. Same thing here. Mistakes are made in the internal application that need to be fixed. If not, you are leaving the door open for someone to get in. Firmware should be reviewed every quarter. Almost all firmware has at least an annual update.
It is up to hardware manufacturers to stay ahead of curve to prevent security vulnerabilities to their hardware. It is up to the customer to make sure those updates get applied correctly. According to Dell, only 59% of companies have implemented a hardware security strategy. Keeping firmware updates current is difficult due to the lack of vision and access to the devices. It is also very time consuming and often a very manual process.
Now that you know what patching is and the different types of patching, it is time to get a plan implemented. Patching is required for every vulnerability management plan. It does not happen by itself and takes careful planning and due diligence to stay at the top of your game.
If you are just managing your personal computer and home office, you can easily manage that. You’ll need to automate at least part of the process once you start to scale the vulnerability management plan across your organization. For more information check out our website at www.pro-stratus.com
We’ll also update this article with links to solutions and future related articles.